analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

hanBot Crack.rar

Full analysis: https://app.any.run/tasks/fca54512-3b21-4470-881f-52cbb45ef4c2
Verdict: Malicious activity
Threats:

Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.

Malware Trends Tracker     >>>
Analysis date: April 15, 2019, 08:30:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
orcus
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

19F587D342C9C9907206BE589CCD3066

SHA1:

730CA23ADACF30B7C25DECEC3CBE169A4BE0CE17

SHA256:

546452AFAB27DB77502978C8A0706B3F3D3C04AA700F31E95818A54F119DCC74

SSDEEP:

24576:lwCi+HGxfZXfhcJzgZU2726We63v/IqdWJQMvOMzOvVmYfkgQjh2:SCTc0zga7L3v3dwQMjCvYAkg2h2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • hanBot.Crack.exe (PID: 4028)
      • hanBot.Crack.exe (PID: 3376)
      • scthosts.exe (PID: 3356)
      • scthosts.exe (PID: 2732)
      • scthosts.exe (PID: 2196)
      • scthosts.exe (PID: 2808)
      • tcpstreaming.exe (PID: 2796)
      • tcpstreaming.exe (PID: 2968)

    • Task Manager has been disabled (taskmgr)

      • hanBot.Crack.exe (PID: 4028)
      • scthosts.exe (PID: 3356)
      • scthosts.exe (PID: 2196)

    • Orcus was detected

      • hanBot.Crack.exe (PID: 3376)
      • scthosts.exe (PID: 2732)
      • scthosts.exe (PID: 2808)

    • Changes the autorun value in the registry

      • scthosts.exe (PID: 2732)

    • Loads the Task Scheduler COM API

      • scthosts.exe (PID: 2732)

    • Orcus RAT was detected

      • tcpstreaming.exe (PID: 2796)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2920)
      • hanBot.Crack.exe (PID: 3376)
      • scthosts.exe (PID: 2732)

    • Creates files in the program directory

      • hanBot.Crack.exe (PID: 3376)

    • Application launched itself

      • scthosts.exe (PID: 3356)

    • Starts itself from another location

      • hanBot.Crack.exe (PID: 3376)

    • Creates files in the user directory

      • scthosts.exe (PID: 2732)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
10
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe hanbot.crack.exe #ORCUS hanbot.crack.exe scthosts.exe no specs #ORCUS scthosts.exe scthosts.exe no specs #ORCUS scthosts.exe no specs #ORCUS tcpstreaming.exe no specs tcpstreaming.exe no specs taskmgr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2920"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\hanBot Crack.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
4028"C:\Users\admin\Desktop\hanBot Crack\hanBot.Crack.exe" C:\Users\admin\Desktop\hanBot Crack\hanBot.Crack.exe
explorer.exe
User:
admin
Company:
hanBot Company
Integrity Level:
HIGH
Description:
hanBot Scripting Crack
Exit code:
0
Version:
1.0.0.0
3376"C:\Users\admin\Desktop\hanBot Crack\hanBot.Crack.exe"C:\Users\admin\Desktop\hanBot Crack\hanBot.Crack.exe
hanBot.Crack.exe
User:
admin
Company:
hanBot Company
Integrity Level:
HIGH
Description:
hanBot Scripting Crack
Exit code:
0
Version:
1.0.0.0
3356"C:\Program Files\Orcus\scthosts.exe" C:\Program Files\Orcus\scthosts.exehanBot.Crack.exe
User:
admin
Company:
hanBot Company
Integrity Level:
HIGH
Description:
hanBot Scripting Crack
Exit code:
0
Version:
1.0.0.0
2732"C:\Program Files\Orcus\scthosts.exe"C:\Program Files\Orcus\scthosts.exe
scthosts.exe
User:
admin
Company:
hanBot Company
Integrity Level:
HIGH
Description:
hanBot Scripting Crack
Version:
1.0.0.0
2196"C:\Program Files\Orcus\scthosts.exe" C:\Program Files\Orcus\scthosts.exetaskeng.exe
User:
admin
Company:
hanBot Company
Integrity Level:
HIGH
Description:
hanBot Scripting Crack
Exit code:
0
Version:
1.0.0.0
2808"C:\Program Files\Orcus\scthosts.exe"C:\Program Files\Orcus\scthosts.exe
scthosts.exe
User:
admin
Company:
hanBot Company
Integrity Level:
HIGH
Description:
hanBot Scripting Crack
Exit code:
0
Version:
1.0.0.0
2796"C:\Users\admin\AppData\Roaming\tcpstreaming.exe" /launchSelfAndExit "C:\Program Files\Orcus\scthosts.exe" 2732 /protectFileC:\Users\admin\AppData\Roaming\tcpstreaming.exe
scthosts.exe
User:
admin
Integrity Level:
HIGH
Exit code:
2968
Version:
1.0.0.0
2968"C:\Users\admin\AppData\Roaming\tcpstreaming.exe" /watchProcess "C:\Program Files\Orcus\scthosts.exe" 2732 "/protectFile"C:\Users\admin\AppData\Roaming\tcpstreaming.exetcpstreaming.exe
User:
admin
Integrity Level:
HIGH
Version:
1.0.0.0
3596"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 217
Read events
1 182
Write events
35
Delete events
0

Modification events

(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2920) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\hanBot Crack.rar
(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process:(2920) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\AppData\Local\Temp
Executable files
3
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2920WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2920.3892\hanBot Crack\hanBot.Crack.exeexecutable
MD5:16CEB981E4C852926BD15E5AC3650C2B
SHA256:9950C7BCAC1CF16EE68D0F41060C120E4173AA46EFAB7081C91A8750CB97F798
3376hanBot.Crack.exeC:\Program Files\Orcus\scthosts.exeexecutable
MD5:16CEB981E4C852926BD15E5AC3650C2B
SHA256:9950C7BCAC1CF16EE68D0F41060C120E4173AA46EFAB7081C91A8750CB97F798
3376hanBot.Crack.exeC:\Program Files\Orcus\scthosts.exe.configxml
MD5:A2B76CEA3A59FA9AF5EA21FF68139C98
SHA256:F99EF5BF79A7C43701877F0BB0B890591885BB0A3D605762647CC8FFBF10C839
2732scthosts.exeC:\Users\admin\AppData\Roaming\tcpstreaming.exe.configxml
MD5:A2B76CEA3A59FA9AF5EA21FF68139C98
SHA256:F99EF5BF79A7C43701877F0BB0B890591885BB0A3D605762647CC8FFBF10C839
2732scthosts.exeC:\Users\admin\AppData\Roaming\tcpstreaming.exeexecutable
MD5:913967B216326E36A08010FB70F9DBA3
SHA256:8D880758549220154D2FF4EE578F2B49527C5FB76A07D55237B61E30BCC09E3A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
uyrtyrtyrtyhr.ddns.net
  • 0.0.0.0
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
hanBot Crack.rar